Citibank helps phishers improve their bait?

It took three security experts and almost a full working day to confirm Citibank Australia's e-mail wasn't a clever phishing attempt.
Written by Munir Kotadia, Contributor

It took help from three security experts, Citibank's spokesperson, dozens of e-mails and almost a full working day of investigation to confirm that an e-mail I had seen from Citibank was not actually a clever phishing attempt.

This particular e-mail was sent by Citibank Australia at the end of October to inform customers that its online security system had been revamped so they should visit the Web site and update their log-in credentials.

However, around the same time this legitimate e-mail was being distributed by Citibank, the following phishing attacks were also taking place, according to UK-based phishing archive site MillerSmiles:

  • On October 23, in Indonesia, some people received e-mails telling them about an update to Citibank's security system. It asked them to update their log-in details
  • On October 25, this time in Texas, users received an e-mail saying: "Citibank has changed security screening procedures for online banking, please follow the given instructions in order to comply with our additional security requirements"
  • On October 30, an e-mail that seemed to come from Citibank asked French recipients to confirm their e-mail address
  • On November 4, some users reported an e-mail informing them that Citibank was updating its security systems: "Once you have enrolled in our security upgrade your pending Citibank account transactions will not be interrupted and will continue as normal," the e-mail said.

So how are online banking users supposed to tell the difference between a phishing e-mail and a real e-mail from their bank? Usually, the easiest way is to look for spelling mistakes and bad grammar.

Unfortunately, with the "flawless" e-mail that Citibank sent to Australian customers, fraudsters probably have the best template for future phishing attacks that they could ever hope for.

Phishing is not a new phenomenon and banks are losing more money than ever before because of this activity.

In the UK last week, the Association of Payment Clearing Services (APACS) said that phishing incidents have increased almost 1,500 percent year-on-year and UK banks lost around AU$56 million (22.5 million pounds) in the first six months of the year -- compared with AU$36 million (14.5 million pounds) during the same period last year.

So the problem is not going away.

The Australian Payments Clearing Association (APCA) does not release equivalent figures for the domestic market. However, I would be very surprised if the relative loss per user, or the increase in total losses, are any different.

What should banks do?
According to Neil Campbell, national security practice manager at Dimension Data, they should stop using e-mail altogether.

"In order to reduce the effectiveness of phishing e-mails I believe all banks should refrain from communicating with their customers via e-mail... In this case, Citibank may have been better off communicating this message to users via their Internet banking site either before or after they log on -- preferably after, in my opinion," Campbell said.

Patrik Runald, senior security specialist at antivirus firm F-Secure believes that banks should "think twice" before e-mailing customers and he suggests that maybe more traditional methods of communication should be revisited.

"My bank in Singapore, DBS, is switching from a username/password combo to two-factor authentication and they sent snail mails to all their customers," he said.

"They also promoted it on their ATMs for a few weeks before making the switch.

"It makes much more sense to me to do it this way than sending e-mails," said Runald.

What possessed Citibank to send such an e-mail? Bronwyne Edwards, the consultant who first brought this issue to my attention, probably has the most believable explanation: "It looks to me like a couple of marketing people came up with it after having too much champagne at lunch".

That would do it!

Do you have any ideas how banks can cost-effectively communicate with customers without raising security concerns? I would be very interested in hearing your views (please be sober). E-mail me at munir.kotadia@zdnet.com.au or talkback below.

Editorial standards